iOS Point-of-Sale Apps Have Hidden Security Risks

PayPal and Square (above) are secure, but most other iOS point-of-sale apps are security risks, researcher says.

Have you ever bought something from a store that used a device plugged into an iPad or iPhone to accept your credit-card payment? If so, your personal information may be at risk, according to a new study.

Mike Park, a managing consultant at Chicago-based information security company Trustwave, said many businesses that use point-of-sale apps do not understand, or don't correctly implement, the security available to them.

That's not to say that all point-of-sale devices are unsafe. The current generation of apps that come with a magnetic-stripe card reader, such as Square and GoPayment, are safe.

Speaking about iOS point-of-sale app security at the AppSec USA Conference in New York yesterday (Nov. 21), Park said that, two years ago, it took him only 10 minutes to access people's credit-card data from an iPod-based device used at a major retailer. All it took was jailbreaking the iPod, that is, bypassing the restrictions Apple built into the operating system in order to take full control of the device's capabilities.

A lot has changed in two years, of course, but retailers using older mobile operating systems, outdated software, or, especially, in-house apps they build themselves are still at a high risk.

Because large retailers are more likely to use these in-house solutions, they're often less secure than small retailers who use off-the-shelf products, Park said in an interview with eSecurity Planet, an IT security blog.

Park found that with most of the in-house apps, encrypting the stored card data is an option, not a default. Some also require users to enter credit-card information by hand, which Park said customers should take as a warning sign — it means customer data is, at least temporarily, stored in an unencrypted form on the device.

Many point-of-sale apps that do implement encryption do so in their software, not in their device's physical hardware. That makes it easier to access the stored data from the device.
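The "encryption is an option, not a default" pattern Park describes is easy to see in code. The following Swift example is added here for illustration; it is not code from the article, from Trustwave, or from any real point-of-sale app. It shows a hypothetical in-house storage helper in which encryption at rest depends on a caller-supplied flag, next to a hardened version that always applies iOS Data Protection (the `completeFileProtection` writing option) and verifies the attribute after writing. The type names (`OptionalProtectionStore`, `ProtectedStore`, `StoreError`, `unprotectedFiles`) are assumptions made up for this example.

```swift
import Foundation

// Added example, not from the article or the project it describes.
// Type and function names below are hypothetical.

/// Weak pattern: protection at rest is opt-in. Every call site that forgets
/// `encrypt: true` leaves card data readable on a jailbroken or seized device.
struct OptionalProtectionStore {
    let directory: URL

    func save(_ record: Data, name: String, encrypt: Bool = false) throws {
        let url = directory.appendingPathComponent(name)
        // With the default encrypt == false no protection class is requested,
        // so the file is stored in the clear.
        let options: Data.WritingOptions = encrypt
            ? [.atomic, .completeFileProtection]
            : [.atomic]
        try record.write(to: url, options: options)
    }
}

enum StoreError: Error {
    case unprotectedFile(String)
}

/// Hardened pattern: protection is not a parameter. Every write requests
/// NSFileProtectionComplete and the attribute is read back and checked, so a
/// write that ends up unprotected fails closed instead of silently succeeding.
struct ProtectedStore {
    let directory: URL

    func save(_ record: Data, name: String) throws {
        let url = directory.appendingPathComponent(name)
        try record.write(to: url, options: [.atomic, .completeFileProtection])
        try verifyProtection(at: url)
    }

    /// Read the protection class back from the file system; anything other
    /// than `.complete` means the data is not encrypted the way we intended.
    func verifyProtection(at url: URL) throws {
        let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
        let raw = attrs[.protectionKey] as? String
        let protection = raw.map(FileProtectionType.init(rawValue:))
        guard protection == .complete else {
            // Do not leave an unprotected copy of card data behind.
            try? FileManager.default.removeItem(at: url)
            throw StoreError.unprotectedFile(url.lastPathComponent)
        }
    }
}

/// Audit helper for an existing app: returns the names of files in `directory`
/// whose protection class is missing or `.none`, i.e. stored unencrypted.
func unprotectedFiles(in directory: URL) throws -> [String] {
    let fm = FileManager.default
    return try fm.contentsOfDirectory(atPath: directory.path).filter { name in
        let path = directory.appendingPathComponent(name).path
        let attrs = try fm.attributesOfItem(atPath: path)
        let raw = attrs[.protectionKey] as? String
        let protection = raw.map(FileProtectionType.init(rawValue:))
        return protection == nil || protection == .none
    }
}
```

Two caveats worth keeping in mind when reading this. First, the hardened store still fits Park's description of "encryption in software": the app asks the operating system to encrypt the file at rest, and the data is readable by the app whenever the device is unlocked, so it is a floor for stored data, not a substitute for a reader that encrypts card data in its own hardware before the app ever sees it. Second, the `completeFileProtection` option is iOS-only; the audit helper is the kind of check a reviewer of an in-house app can run against the app's container to find files that were written without any protection class.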

When unencrypted credit-card information is easily accessible, store owners might think that having trustworthy employees is enough to protect their customers' data. But that still doesn't protect against man-in-the-middle attacks, in which cybercriminals capture data while it's in transit.

On the whole, Park said, unless a mobile point-of-sale device is using a magnetic-stripe card reader and can encrypt customer data on its hardware, criminals will find it an easy target.